Spring Security Kerberos + AD, Checksum Fail
I'm trying to get Spring Security Kerberos working with Active Directory credentials as described at http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples-sec-server-win-auth. I'd say I have most of it down (SPN, keytab, etc.). Now I'm getting a checksum failure. If I change the principal name, I get an AES encryption error instead.
I'm running Spring Boot on RHEL 6 with Oracle Java 1.8 + JCE, using the sample from https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth
This is what I get when I run the jar:
Debug is true
storeKey true
useTicketCache false
useKeyTab true
doNotPrompt true
ticketCache is null
isInitiator false
KeyTab is /home/boss/webdev125-3.keytab
refreshKrb5Config is false
principal is http/webdev@EXAMPLE.ORG
tryFirstPass is false
useFirstPass is false
storePass is false
clearPass is false
principal is http/webdev@EXAMPLE.ORG
Will use keytab
Commit Succeeded
.....
2015-11-25 11:29:09.631 DEBUG 5559 --- [nio-8080-exec-3] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
2015-11-25 11:29:10.003 WARN 5559 --- [nio-8080-exec-3] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid:
...
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
...
Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
... 48 common frames omitted
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 56 common frames omitted
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
... 62 common frames omitted
A few other details:
- /etc/krb5.conf does have default_tgs_enctypes and default_tkt_enctypes that include aes256-cts-hmac-sha1-96
- The default keytab location matches between the application and krb5.conf
- The keytab is generated on the Windows server and then copied to RHEL
It seems I had a conflict with an existing service principal mapping. Once I cleaned that up, the error stopped. This link helped me find the solution - https://developer.jboss.org/wiki/ConfiguringJBossNegotiationInAnAllWindowsDomain?_sscc=t
I ran into this problem recently.
The service's DNS name must match the service principal name.
The principal name must start with HTTP/
Example:
Service DNS: www.ala-bala.com
Principal name must be: HTTP/ala-bala.com@REALM
The realm does not have to match the DNS.
If you are running locally, the DNS obviously won't match the principal.
You can work around this by adding a line to /etc/hosts:
127.0.0.1 ala-bala.com
You can also use a client that lets you override the kerberos host/principal name, such as requests_kerberos in Python.
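The two answers above point at the same class of configuration mismatch: the keytab the service loads must hold the SPN that AD issues tickets for (HTTP/<service DNS name>@REALM) with a key of the enctype the ticket is encrypted with, and krb5.conf must agree with the application on enctypes and keytab location. The following script is an added example, not code from the question, the answers or the Spring Security Kerberos project. It parses a `klist -kte` listing and a krb5.conf fragment (both constructed samples modelled on the values in the question, not the asker's real files) and reports the mismatches this thread describes: a service part other than HTTP, a host part that differs from the service's DNS name, a realm mismatch, a missing AES-256 key, and krb5.conf enctype lists or default_keytab_name that disagree with the application. The principal, path and realm values are taken from the question; everything else (function names, the sample listings) is assumed for the example.

```python
"""Check a service keytab listing and krb5.conf against the SPN a SPNEGO
service expects. Added example; not code from the question or answers."""
import re

# Constructed `klist -kte` listing (MIT format); not a real keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/home/boss/webdev125-3.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 11/25/2015 10:00:00 http/webdev@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 11/25/2015 10:00:00 http/webdev@EXAMPLE.ORG (arcfour-hmac)
"""

# Constructed krb5.conf fragment; not the asker's actual file.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_keytab_name = FILE:/home/boss/webdev125-3.keytab
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

AES256 = "aes256-cts-hmac-sha1-96"
# KVNO, date, time, principal, "(enctype)" -- the columns klist -kte prints.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples from `klist -kte` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[libdefaults]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def check_service_principal(entries, service_dns, realm, enctype=AES256):
    """Compare keytab entries with HTTP/<service_dns>@<realm>.

    Returns a list of findings; an empty list means the expected SPN is
    present with a key of the required enctype.
    """
    expected = f"HTTP/{service_dns}@{realm}"
    findings = []
    principals = {p for _, p, _ in entries}
    if expected in principals:
        if not any(p == expected and e == enctype for _, p, e in entries):
            findings.append(f"{expected} has no {enctype} key in the keytab")
        return findings
    # Expected SPN absent: explain how each entry differs from it.
    for princ in sorted(principals):
        service, _, rest = princ.partition("/")
        host, _, princ_realm = rest.partition("@")
        if service != "HTTP":
            findings.append(f"{princ}: service part {service!r} is not 'HTTP'")
        if host.lower() != service_dns.lower():
            findings.append(f"{princ}: host part {host!r} != DNS name {service_dns!r}")
        if princ_realm != realm:
            findings.append(f"{princ}: realm {princ_realm!r} != {realm!r}")
    if not findings:
        findings.append(f"{expected} not present in keytab")
    return findings


def check_krb5_conf(libdefaults, app_keytab, enctype=AES256):
    """Check the enctype lists and the default keytab path the app relies on."""
    findings = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if enctype not in libdefaults.get(key, "").split():
            findings.append(f"{key} does not list {enctype}")
    conf_keytab = libdefaults.get("default_keytab_name", "")
    if conf_keytab.startswith("FILE:"):
        conf_keytab = conf_keytab[len("FILE:"):]
    if conf_keytab != app_keytab:
        findings.append(f"default_keytab_name {conf_keytab!r} != application keytab {app_keytab!r}")
    return findings


if __name__ == "__main__":
    entries = parse_keytab_listing(SAMPLE_KLIST)
    for finding in check_service_principal(entries, "webdev", "EXAMPLE.ORG"):
        print("keytab:", finding)
    for finding in check_krb5_conf(parse_libdefaults(SAMPLE_KRB5_CONF),
                                   "/home/boss/webdev125-3.keytab"):
        print("krb5.conf:", finding)
```

Run against the constructed sample it flags only the lowercase `http/` service part, which is the discrepancy the second answer describes; against a real server, feed it the output of `klist -kte /path/to/service.keytab` and the server's krb5.conf, with the DNS name clients actually use for the service. For the client-side override the second answer mentions, `requests_kerberos.HTTPKerberosAuth` accepts a `hostname_override` argument (to my knowledge; check the installed version's signature) so a local test can target a principal whose host part differs from the address used.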